or if you just want to read about it you can do so via his documentation page. I can't really explain it much more than this. I haven't listened to the podcast yet, just glanced at the documentation page.

HawkMan 5,229

QR codes are still idiotic and the worst idea (well, using them for what they're being used for is) since the first computer.

People don't scan QR codes, people don't want to scan QR codes. MAYBE if the camera on a phone ALWAYS was working, and it automatically and intelligently detected QR codes and scanned them in for you, but intelligently so not every time the lens passed over one.

But yeah, what everyone wants to do is find a silly square code, open a special app on their phone, attempt to "scan" the QR code, get redirected to a website in ANOTHER program ... the whole idea and implementation is laughable. And they will die now that NFC is starting to take off and NFC can be implemented in stuff, and they work automatically, just touch the phone to it and voila, not that I think people will be using them much for such purposes either but at least their implementation works a million times better for the purpose.

+warwagon 10,661

QR codes are still idiotic and the worst idea (well, using them for what they're being used for is) since the first computer.

People don't scan QR codes, people don't want to scan QR codes. MAYBE if the camera on a phone ALWAYS was working, and it automatically and intelligently detected QR codes and scanned them in for you, but intelligently so not every time the lens passed over one.

But yeah, what everyone wants to do is find a silly square code, open a special app on their phone, attempt to "scan" the QR code, get redirected to a website in ANOTHER program ... the whole idea and implementation is laughable. And they will die now that NFC is starting to take off and NFC can be implemented in stuff, and they work automatically, just touch the phone to it and voila, not that I think people will be using them much for such purposes either but at least their implementation works a million times better for the purpose.

sc302 1,481

You know what could eventually replace user names and passwords that is pretty secure.... Iris scan mixed with facial recognition... Your facial features don't change all that much and an iris scan (this is not an invasive retina scan) would identify you very accurately. We are looking at different biometric authentication technologies to implement at work to do away with passwords. Iris, which can be done with an HD camera you can buy at the store for Skype, would work perfectly, same with facial recognition. The tech is readily available to do this, it just needs to get a little more affordable (the software that runs this isn't cheap even if the hardware is relatively inexpensive).

primexx 372

You know what could eventually replace user names and passwords that is pretty secure.... Iris scan mixed with facial recognition... Your facial features don't change all that much and an iris scan (this is not an invasive retina scan) would identify you very accurately. We are looking at different biometric authentication technologies to implement at work to do away with passwords. Iris, which can be done with an HD camera you can buy at the store for Skype, would work perfectly, same with facial recognition. The tech is readily available to do this, it just needs to get a little more affordable (the software that runs this isn't cheap even if the hardware is relatively inexpensive).

Iris scan + facial recognition is a little redundant. It's still just 1 factor, albeit slightly more accurate & precise than each alone. Doesn't exactly make things any more secure than existing solutions though.

sc302 1,481

Usernames and passwords aren't/haven't ever been the problem; their management is. That's the long and short of it.

Also, I wouldn't trust my phone with so much top shelf private information. That's like writing it on paper and hiding under the keyboard. Or house keys under the floor mat.

If you ever deal with the government internally, yes it is a problem. Not a major one provided you have password complexity and it is constantly changing, so it is written in their SOPs and documentation for other entities. The one thing that doesn't require any sort of change is biometric authentication and is thought by them to be more secure than a password as it can be proven that it is you accessing the computer and digitally signing important documents that can be held up in court.

Phouchg 2,050

If you ever deal with the government internally, yes it is a problem. Not a major one provided you have password complexity and it is constantly changing, so it is written in their SOPs. The one thing that doesn't require any sort of change is biometric authentication and is thought by them to be more secure than a password as it can be proven that it is you accessing the computer and digitally signing important documents that can be held up in court.

I won't argue that biometrics provides much greater authentication possibilities. However, I will ask how many security breaches happen at the user's side/because of the user's fault (cookies and other login storage mechanisms aside - they are part of the problem and must be abolished) and how many happen in transit or at the server side. Biometrics is still a blob of data and there's pretty much all the usual crypto under it.

sc302 1,481

I won't argue that biometrics provides much greater authentication possibilities. However, I will ask how many security breaches happen at the user's side/because of the user's fault (cookies and other login storage mechanisms aside - they are part of the problem and must be abolished) and how many happen in transit or at the server side. Biometrics is still a blob of data and there's pretty much all the usual crypto under it.

And that has to deal with the security of the transmission itself. There are many facets of security between the end user and the system, going through the authentication process to the application and data transmission and then how bulletproof is the server itself. The authentication/authorization portion is just one part of security.

Phouchg 2,050

And that has to deal with the security of the transmission itself. There are many facets of security between the end user and the system, going through the authentication process to the application and data transmission and then how bulletproof is the server itself. The authentication/authorization portion is just one part of security.

That it is. Say, do you consider authentication on the user side the weakest link, currently? I may not have the expertise, but I'll say I don't. Biometrics is effectively a login that can't be physically stolen, falsified or forgotten and is easier to use. However, how does one solve the problem that it is invariable? As soon as we introduce other, changing identifiers to safeguard against the possibility of login data being compromised, we're back to glorified usernames and passwords. If I'm being remotely correct on that, I propose we turn attention to other, more problematic parts - bulletproofing protocols, abolishing legacy protocols, mandating much more careful code and hardware audits and, in the recent light, preventing unsanctioned wiretapping.

HawkMan 5,229

There is always a line that must be walked between security and usability.

If security gets in the way of usability then your security has failed. I have no interest in having to check my phone for an SMS code every time I log into a service, neither do I have an interest in doing any other sort of loop jumping.

Sure for enterprises and government security you need something beyond simple passwords.

If your home computer needs biometrics and two factor logins then I question what you keep on there.

Phouchg 2,050

There is always a line that must be walked between security and usability.

If security gets in the way of usability then your security has failed. I have no interest in having to check my phone for an SMS code every time I log into a service, neither do I have an interest in doing any other sort of loop jumping.

Sure for enterprises and government security you need something beyond simple passwords.

If your home computer needs biometrics and two factor logins then I question what you keep on there.

If you have something to hide, you probably shouldn't be doing it in the first place. Now where have I heard this particularly unconvincing sentence...

sc302 1,481

That it is. Say, do you consider authentication on the user side the weakest link, currently? I may not have the expertise, but I'll say I don't. Biometrics is effectively a login that can't be physically stolen, falsified or forgotten and is easier to use. However, how does one solve the problem that it is invariable? As soon as we introduce other, changing identifiers to safeguard against the possibility of login data being compromised, we're back to glorified usernames and passwords. If I'm being remotely correct on that, I propose we turn attention to other, more problematic parts - bulletproofing protocols, abolishing legacy protocols, mandating much more careful code and hardware audits and, in the recent light, preventing unsanctioned wiretapping.

Remember this about security: if it has been created by man it can be broken by man. Security has to be forever evolving. There is no way to protect indefinitely unless on a completely closed system that is not accessible from any other network other than itself. People are always finding new security holes even after a system has been deemed secure. So investing in ways to protect our systems in their entirety will never happen as there will always be someone who can circumvent it.

Take the best safe in the world: there isn't anyone who couldn't break through if given enough time, even if they only had a chisel and a hammer. That is security in a nutshell.

+warwagon 10,661

I've even been contacted by the W3C, the HTML5 spec editor, who says authentication and login is like a serious problem, no one has solved it yet, this looks wonderful, let's talk. So...

I do have a page of all of that other stuff that people are finding, just so it has a place to live, so I can say, yeah, we've seen all of that, and none of it is the same. There's even been some people saying, like showing me patents. And if you look at the diagram on the patent, it's got 26 different things all pointing at each other. And it's like, okay, look at my picture, and look at their picture. There's just no comparison.

Yes. Now, imagine in a library or a public kiosk. What this literally lets you do is snap a QR code that's being displayed on a computer you do not trust. And without entering any of your credentials, you're logged in. So, I mean, so that's really a change. That's really cool.

That part would be great, as well.

Steve: They all do. In fact, we can skip the first one because he was just asking, he says he loves the SQRL idea, but he doesn't have a smartphone. So we've covered that. You will be able to use desktop clients. Oh, and another advantage of the desktop client, because people have asked about browser plugins to do SQRL, well, first of all, browser plugins are kind of scary because they're in the browser, and you wonder about the browser's security.

+warwagon 10,661

God, this not being able to edit your first posts and titles anymore really SUCKS!

Anywho... They have given SQRL a new acronym: Secure Quick Reliable Login.

Too many people were associating this thing with QR codes. This thing does not have to rely on something you take pictures of AT ALL! It could also be something you just click via browser plugin. In any case there is a bunch more new information on the page.